Release Date: 08/April/2022
This section lists the new features and bug fixes in this release.
Added Datalake Provider Interface - abstracted Vendor vs Datalake queries
Updated BB (BluBracket) Vendor Repo Scan Status queries - migrated from GET to POST with a request payload to support larger queries
Updated GitHub webhook validation logic - tested and validated webhook secret handling
Added Redis caching on a number of API calls to improve query performance (local, vendor, and datalake sources), with cache invalidation logic
Added query logic to support the global query on the v2 UX (search by project, CVE, CWE, GHSA, language)
Expanded the queries on the Vulnerabilities page to support filtering by issue type/title, severity, CVE, CWE, GHSA, and state (fixed/not fixed)
Updated the API for BB non-inclusive language notifications (added logic to work with vendor and datalake sources, and to track notifications locally)
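The webhook validation item above refers to the check every GitHub webhook receiver must do: GitHub signs the raw request body with HMAC-SHA256 under the webhook secret and sends the result in the X-Hub-Signature-256 header, and the receiver must recompute and compare it before trusting the payload. The following is an added example in Go (the language the release notes build with), not LFX Security's own code. The secret, the sample payload, the handler layout and the body-size cap are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// GitHub signs each delivery with HMAC-SHA256 over the raw request body and
// sends the result as "sha256=<hex>" in the X-Hub-Signature-256 header.
const signaturePrefix = "sha256="

// maxBodyBytes is an assumed cap on the webhook payload size; it bounds the
// work done for a request that has not yet proven it came from GitHub.
const maxBodyBytes = 1 << 20

// SignPayload computes the header value GitHub would send for body.
// It is used here to build sample deliveries; a receiver never needs it.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return signaturePrefix + hex.EncodeToString(mac.Sum(nil))
}

// ValidateSignature reports whether header is a valid signature for body
// under secret. It rejects an empty secret (an unset secret must never
// "validate" everything), an absent or non-SHA-256 header, malformed hex,
// and a wrong-length digest, and compares with hmac.Equal so the comparison
// time does not leak how many leading bytes matched.
func ValidateSignature(secret, body []byte, header string) bool {
	if len(secret) == 0 {
		return false
	}
	if !strings.HasPrefix(header, signaturePrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, signaturePrefix))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// WebhookHandler returns an http.Handler that reads the raw body, checks the
// signature, and only then passes the event name and body to next. The exact
// bytes received are what was signed, so the check must run before any JSON
// decoding: re-serialising the payload would change those bytes.
func WebhookHandler(secret []byte, next func(event string, body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !ValidateSignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		next(r.Header.Get("X-GitHub-Event"), body)
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	// Constructed sample: an assumed secret and a minimal pull_request payload.
	secret := []byte("example-webhook-secret")
	body := []byte(`{"action":"opened","repository":{"full_name":"example-org/example-repo"}}`)
	sig := SignPayload(secret, body)
	fmt.Println("header:", sig)
	fmt.Println("genuine delivery accepted:", ValidateSignature(secret, body, sig))
	tampered := []byte(`{"action":"opened","repository":{"full_name":"attacker/repo"}}`)
	fmt.Println("tampered body accepted:   ", ValidateSignature(secret, tampered, sig))
	fmt.Println("sha1 header accepted:     ", ValidateSignature(secret, body, "sha1=deadbeef"))
}
```

Two points are easy to get wrong in receivers like this: the signature must be computed over the bytes exactly as received (not over a re-encoded JSON document), and an unconfigured secret must fail closed rather than skip the check.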
NA
NA
Release Date: 28/March/2022
LFX Security provides strong security for your open source code. LFX provides a clear view into the security of a given project and enables developers to identify and resolve vulnerabilities quickly and easily.
Some of the prominent features for LFX Security are:
Automated vulnerability scanning
License compliance management
Centralized project security dashboard
Fix Recommendations
Contextual vulnerability reporting
Detailed Dependency Tree
Neutral to Source Control Systems
Release Version Contextualization
Code secrets detection
Identification of Non Inclusive language in the code
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
Added initial Redis cache support
Added Redis configuration
Added Redis caching for the BluBracket Code Secrets, BluBracket Non Inclusive Language, and Vulnerabilities queries
Added an Applicable flag to the Datalake Repository Vulnerability API
The following list gives the bug fixes applied in this release:
Fixed the CVE/CWE datalake query
Fixed issue LFXSEC-2060: Repository - the manifest file is not displayed on the Licenses tab of EasyCLA
Resolved the Datalake Licenses issue for projects that have more than one Snyk org
Resolved the Project Search filter
Updated to Serverless 3.10.0
Updated the minimist library
Resolves the CWE-1321 (prototype pollution) issue CVE-2021-44906 / GHSA-xvch-5gv4-984h in the minimist library by updating to version ^1.2.6
NA
The LFX Security tool provides security for open source code. It provides the following functionality for open source project code:
Vulnerabilities Detection - detects vulnerabilities in your code and provides fixes and recommendations for them.
Code Secrets - detects secrets such as passwords, credentials, keys, and access tokens that an attacker could use to compromise your code or the systems it reaches.
Non Inclusive Language - detects non inclusive words in your code that might hurt people or treat them unfairly.
Refer to the LFX Security page for more information.
Release Date: 22/March/2022
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
Added the missing Snyk Project ID to the Datalake Vulnerability response.
The following list gives the bug fixes applied in this release:
Resolved an issue in the Onboarding Status response when removing a GitHub Organization (removing the bot) from the PCC
Modified the Repository statistics scheduler task functionality
Updated the linter version to work with Go 1.18
Updated Serverless and libraries
Resolved [#LFXSEC-1829] OSSF security score (Datalake) - added Datalake queries for OSSF security scores
NA
Release Date: 23/March/2022
This section lists the new features and bug fixes in this release.
NA
The following list gives the bug fixes applied in this release:
Resolved PCC LFX Security Settings API issues
Resolved an "API not implemented" error (the Datalake provider was being used instead of the vendor provider)
Removed the requirement to pass the repository list to the Onboard Update Settings API (not required when only adjusting the auto-enable flag)
Removed the Settings Update response payload (not used by PCC, and expensive to build)
Updated the serverless library to v3.8.0
NA
Release Date: 18/March/2022
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
BluBracket API refactor - separated the vendor APIs and the datalake APIs into separate folders
Implemented LFXSEC-1828: Datalake Integration - API to query Datalake dependencies
Added additional project statistics checks
Added a Markdown output format to the scheduler CLI for printing pending jobs/scheduled tags
The following list gives the bug fixes applied in this release:
BluBracket org lookup fix - resolved an issue when a child project's code secrets are queried but the organization information is stored with the parent; added logic to cross-check the parent's org information
Fixed the "Snyk projects not found" and Datalake "fetch all dependencies" issues
Updated the Project Stats CLI - cleaned up command-line flags and usage
Resolved a bug in the Vulnerabilities DL (Datalake) query related to the repository ID - it now uses the DL repo ID hashing function
Updated code_secrets_details in the project statistics for the project and its parent projects
Resolved [#LFXSEC-1896] Feature/Datalake Integration
Resolved the Project Stats code secrets details encoding error
Resolved the Publish Stats empty message issue
Resolved additional nil references after the service composition refactor, and resolved a CSV nil pointer issue
NA
Release Date: 10/March/2022
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
Added a vulnerability sort filter
The following list gives the bug fixes applied in this release:
Updated the Vulnerability Stats query to support publishing metrics - added missing fields and updated the metrics producer
NA
Release Date: 14/March/2022
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
Added the badge count and total project count to the project endpoint
Added logic to set Code Secrets details for the parent project
Added the Snyk scan status to the Onboard Status response
The following list gives the bug fixes applied in this release:
Resolved the simple-git vulnerability in the Serverless library dependencies
Updated the Project Foundation Summary response
NA
Release Date: 10/March/2022
This section lists the new features and bug fixes in this release.
The following list gives an overview of the new features implemented in this release:
Added the Publish Stats to Platform logic
Added a Project Repository Statistics job to the scheduler CLI
Added Code Secrets details to the Foundation page
Added the GitHub repository description to the Code Secrets response
Backend API work for the security wall design changes
Added a Project Service client API for setting the project/repository relationship
Optimized the created-services functionality across locations
Added IsFixable to the Datalake vulnerability publish schema
Added a Fixable flag for Snyk vulnerabilities
The following list gives the bug fixes applied in this release:
Removed the Code Secrets update from the project statistics update to fix a timeout issue
Resolved the scheduler TaskID issue
CI/CD - updated to Go 1.17.7
CI/CD - updated Serverless to v3.7.4
Updated the GitHub Membership job details
Fixed the datalake repository query statement
NA
LFX Security is a service that helps open source developers identify and remediate security vulnerabilities in order to create more secure code. LFX Security also detects code secrets and non inclusive language in your code. Projects that are part of the Linux Foundation database receive free weekly scans via the LFX Security service to detect vulnerabilities in code repositories. A public dashboard gives developers visibility into open security issues and paths to remediation.
Yes. If your project is set up in the Linux Foundation database, LFX Security automatically scans your code on a weekly basis and adds any detected vulnerabilities to your project dashboards. Issues are classified as critical, high, medium, or low risk based on information from databases including Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and the GitHub Advisory Database (GHSA). An inventory of your project's detected dependencies and licenses is mapped along with the dependency details. LFX Security also scans for code secrets and non inclusive language.
For more on how these identifiers and severities are assigned, refer to the NVD (National Vulnerability Database).
LFX Security fetches permissions from GitHub and maps them into the following categories:
Owner/Admin -> GitHub admin permission
Maintainer -> GitHub maintain permission
Contributor -> GitHub triage, push, and pull permissions
Users in these categories are given elevated Contributor/Maintainer permissions in LFX Security. They can dismiss irrelevant vulnerability issues, send notifications, and mark issues as false positives.
Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Go (Golang), and PHP.
On the Security Leaderboard you can see the "Vulnerabilities Fixed" count and the "Top 10 projects most active in fixing vulnerabilities" counts. At first glance you would expect the two to match.
The "Vulnerabilities Fixed" value is the count of distinct (unique) fixed vulnerabilities across all the projects that were scanned.
Each "Top 10 projects most active in fixing vulnerabilities" value is the count of distinct (unique) fixed vulnerabilities in that particular project.
For example, if the "Vulnerabilities Fixed" count is 100, you might expect the "Top 10 projects most active in fixing vulnerabilities" values to add up to 100. On the Security Leaderboard, however, the sum of the "Top 10 projects" counts is higher than "Vulnerabilities Fixed".
The reason for this mismatch is that the same vulnerability (for example, the same CVE in a dependency shared by several projects) is repeated across projects. Each project counts it once, so the per-project counts add up to more than the distinct "Vulnerabilities Fixed" count.
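The arithmetic behind the mismatch, as an added example in Go that is not part of the LFX Security code base. The project names and all vulnerability IDs other than CVE-2021-44906 (the minimist advisory from the release notes) are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// ProjectCount is one row of the "Top 10 projects most active in fixing
// vulnerabilities" list: a project and its own distinct fixed-vulnerability count.
type ProjectCount struct {
	Project string
	Fixed   int
}

// DistinctFixed returns the "Vulnerabilities Fixed" figure: the number of
// distinct vulnerability IDs fixed across every project, counting an ID once
// no matter how many projects fixed it.
func DistinctFixed(fixedByProject map[string][]string) int {
	seen := make(map[string]struct{})
	for _, ids := range fixedByProject {
		for _, id := range ids {
			seen[id] = struct{}{}
		}
	}
	return len(seen)
}

// TopProjects returns the per-project distinct counts, highest first (ties
// broken by name so the order is stable), truncated to n rows.
func TopProjects(fixedByProject map[string][]string, n int) []ProjectCount {
	rows := make([]ProjectCount, 0, len(fixedByProject))
	for project, ids := range fixedByProject {
		seen := make(map[string]struct{})
		for _, id := range ids {
			seen[id] = struct{}{}
		}
		rows = append(rows, ProjectCount{Project: project, Fixed: len(seen)})
	}
	sort.Slice(rows, func(i, j int) bool {
		if rows[i].Fixed != rows[j].Fixed {
			return rows[i].Fixed > rows[j].Fixed
		}
		return rows[i].Project < rows[j].Project
	})
	if len(rows) > n {
		rows = rows[:n]
	}
	return rows
}

// SumFixed adds up the per-project counts in rows; this is the number a
// reader gets by totalling the leaderboard column by hand.
func SumFixed(rows []ProjectCount) int {
	total := 0
	for _, r := range rows {
		total += r.Fixed
	}
	return total
}

// sampleFixes is constructed data: three projects that fixed overlapping
// vulnerabilities. CVE-2021-44906 is the minimist advisory mentioned in the
// release notes; the other IDs are placeholders.
var sampleFixes = map[string][]string{
	"project-a": {"CVE-2021-44906", "CVE-0000-0001", "CVE-2021-44906"}, // repeated within a project still counts once
	"project-b": {"CVE-2021-44906", "CVE-0000-0002"},
	"project-c": {"CVE-0000-0001"},
}

func main() {
	fmt.Println("Vulnerabilities Fixed (distinct):", DistinctFixed(sampleFixes))
	top := TopProjects(sampleFixes, 10)
	for _, r := range top {
		fmt.Printf("  %-10s %d\n", r.Project, r.Fixed)
	}
	fmt.Println("Sum of per-project counts:       ", SumFixed(top))
}
```

With this data the distinct count is 3 (two of the three projects fixed the same minimist issue, and two fixed the same placeholder CVE), while the per-project column reads 2, 2, 1 and sums to 5.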
LFX Security uses Snyk to scan a project's Git-based repositories and identifies the licenses of its dependencies against the SPDX license list. License identification varies by ecosystem, but generally it is done by reviewing the license stated on the package, retrieving metadata from the registry, and reading the license information in manifest files.
For LFX Security, we are partnering with a few solution providers where it makes sense. For example, projects can choose to allocate funds raised through the LFX Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on LFX (Funding and Mentorship) to identify vulnerabilities and dependencies, and to help manage intellectual property (IP) risk with license verification. BluBracket scans the code for code secrets and non inclusive language.
First, all projects in LFX Security automatically get dependency license scans. LFX Security gives a project and its maintainers visibility into the full tree of direct and indirect third-party dependencies that Snyk detects for the project. Snyk also associates licenses with the libraries and packages in the dependency tree. This reporting gives maintainers a simple, lightweight, zero-effort view of the array of third-party licenses their project relies upon. It helps projects decide whether to avoid particular dependencies, for example if their licenses might be incompatible with the project's own license, IP policies, or community objectives. It also helps projects identify their compliance obligations for the dependencies they use, for example which license notices they need to reproduce when they distribute those dependencies.
Second, the Linux Foundation's EasyCLA (Contributor License Agreement) service tackles the difficult problem of ensuring that contributors assign IP rights in their source code to open source projects. EasyCLA also handles corporate authority considerations by requiring a corporate CLA to be signed by an authorized signatory of the company. It enables companies to control which of their employees are authorized to contribute to which projects under the signed CLA. Depending on their own needs and processes, companies can take a fine-grained approach by specifying individual authorized contributors' email addresses, or can authorize all employees across a domain name. The EasyCLA service facilitates all these workflows and ensures that code contributions are accepted only after the contributor satisfies the CLA requirements. Although EasyCLA is initially available to Linux Foundation-hosted projects, we hope to make it available to a broader set of projects, including those on LFX Security.
License information is displayed as "Unknown" when the Snyk API cannot find license information and returns the value "unknown" to LFX Security.
License information is displayed as empty when the package's License field is blank. In that case the Snyk API has no license information to return, and the license is shown as empty.
Code secrets are private, valuable pieces of information. LFX Security searches the code for different kinds of secrets, including tokens, keys, IDs, credentials, and passwords.
Non inclusive language consists of words that depict people unfairly or in an insulting manner, or exclude people based on their ethnicity, gender, or color. Such words are not expected in open source code. LFX Security scans the code for non inclusive language.
The LFX Security tool scans your open source project code to detect vulnerabilities in it. It provides automated scanning to detect potential vulnerabilities and weaknesses, proposing recommended fixes where available to help projects address their top security concerns.
LFX Security has collaborated with BluBracket to scan for valuable private information in open source code; we call this information "code secrets". Detecting and monitoring code secrets removes a significant class of risk from open source projects and makes their code more secure.
The Linux Foundation has taken a diversity and inclusion initiative for open source projects. As part of this initiative, LFX Security in collaboration with BluBracket scans for non inclusive language: words that depict people unfairly or in an insulting manner, or exclude people based on their ethnicity, gender, or color. Such words or language are not expected in open source code.
The following table lists the roles and their respective permissions for LFX Security:

Role | Full Access | View Access | Settings Access | Dismiss Vulnerability | Actions for Code Secrets | Notification for Non Inclusive Language |
---|---|---|---|---|---|---|
Community Program Manager | Yes | Yes | Yes | No | No | No |
Project Manager | Yes | Yes | Yes | No | No | No |
Project Maintainer | Yes | Yes | Yes | Yes | Yes | Yes |
Project (GitHub) Contributor | Yes | Yes | Yes | Yes | Yes | Yes |
Company Employee (Member) | No | Yes | No | No | No | No |

The following points explain the permissions listed in the table above:
Full Access - Full Access permission allows you to:
View all tabs
Take action on Code Secrets
Notify the developer about Non Inclusive language
Access the PCC (Project Control Center) to manage Vulnerabilities, Code Secrets and Non Inclusive language
View Access - View Access permission allows you to:
View all tabs, without access to the PCC
Settings Access - Settings Access permission allows you to:
Access the PCC to manage Vulnerabilities, Code Secrets and Non Inclusive language
Dismiss Vulnerability - allows you to dismiss vulnerabilities detected in the project code when you judge that the detected issue cannot be fixed.
Actions for Code Secrets - allows you to take action on the code secrets detected in the project code: Resolve, Ignore, or False Positive.
Notification for Non Inclusive Language - allows you to notify the developer concerned about the non inclusive language detected in the project code.
You must onboard your project from GitHub to use LFX Security services. Onboarding starts the scanning for vulnerabilities, code secrets, and non inclusive language.
Onboarding projects into LFX Security is done from the PCC (Project Control Center). As part of onboarding, a Security Bot is installed on the GitHub organizations of the project.
If you do not have access to the PCC, raise a support ticket to request access.
For more about the PCC, visit the PCC website and refer to the PCC documentation.
For more information on security-related activities that can be configured using the PCC, refer to the Security PCC documentation.
To set up the Security service using the PCC, perform the following steps:
1. Log in to the PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab.
You can also navigate to Security from the vertical sidebar navigation menu: click Tools and then select Security.
3. The Security page appears. From the GitHub Onboarding tab, click the icon available next to Connect.
4. Enter the GitHub organization name in Organization Name and click Connect.
Make sure that you are logged in to GitHub.
5. The Install Security Bot on GitHub.org instructions page appears. Read the instructions on how to install the Security Bot, then click the Install Security Bot button.
6. The GitHub organizations associated with the logged-in account are listed. Select the organization for which you want to install the Security Bot.
7. The Install & Authorize LFx Security GitHub App page appears. It provides the following information:
Information on the permissions requested for the selected repositories. LFX Security requests the following permissions from GitHub:
Read access to administration, code, commit statuses, members, and other metadata.
Read and write access to organization hooks, pull requests, and repository hooks.
Installing and authorizing the LFX Security GitHub App grants these permissions on your account:
Read access to email addresses
Access to the repositories. You can grant access to all repositories or to selected repositories within the GitHub organization. Granting only the repositories you want scanned is the least-privilege choice; note that repositories created later are covered automatically only when you grant access to all repositories.
Click Install & Authorize to install the LFX Security GitHub App.
For more information on permissions, refer to GitHub App Permissions.
8. The LFX Security Service GitHub App is installed. You see the installation success message.
You also receive an email after successful installation of the LFX Security GitHub App.
9. Back on the PCC page, click I'm Done Installing the Security Bot after completing the installation.
10. The GitHub organizations are listed along with the repositories for which the Security Bot has been configured.
A green dot next to the GitHub organization name indicates that the Security Bot is installed.
GitHub has been authorized with the following permissions:
Administration: read-only (so that we can discover new repositories, identify when repositories are transferred, and determine if a repository is archived, deleted, etc.)
Contents: read-only (view details about the repositories)
Metadata: read-only (required)
Pull Requests: read-write (allows Snyk to create pull requests for fixable vulnerabilities, e.g. version bumps)
Repository webhooks: read-write (required to add callbacks when PRs are created, when updates are pushed to the main branch, etc.)
Commit Status: read-only (get commit status details)
Organization webhooks: read-write (required to add callbacks when events occur for the organization)
Email addresses: read-only (ability to read public email addresses)
As of 12/02/2021 the permissions were adjusted to include webhooks. These additional configurations allow us to monitor changes in user permissions. The plan is to collect the initial list of permissions when the GitHub App is installed and add the details to the datalake, and additionally to register for and receive any callbacks that change the permissions model in the future.
You can uninstall the Security Bot at any time from the PCC. When you uninstall the Security Bot, security scanning for the GitHub organization is discontinued and you can no longer see the vulnerabilities associated with that organization.
To uninstall the Security service from the PCC, perform the following steps:
1. Log in to the PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab. The GitHub organizations are listed; select the settings icon and click Disassociate GitHub Org.
3. The Uninstall Security Bot on GitHub.org instructions page appears. Read the instructions on how to uninstall the Security Bot, then click the Uninstall Security Bot button.
4. The LFx Security GitHub App opens in a new tab. Click Uninstall from the Danger Zone.
You can uninstall the Security Bot from all the repositories associated with your GitHub organization by selecting All Repositories, or from specific repositories by selecting Only Select Repositories.
5. A pop-up message informs you that the Security Bot will be uninstalled for the selected repositories. Click OK to continue.
6. Back on the PCC page, click I'm Done Uninstalling the Security Bot after completing the uninstallation.
7. The GitHub repositories are removed from the Security dashboard, but the GitHub organization name is still shown.
A red dot next to the GitHub organization name indicates that the Security Bot is uninstalled.
8. If you want to remove the GitHub organization completely from the Security dashboard, click Disassociate Organization.
9. A pop-up message informs you that the GitHub organization will be disassociated. Click Disassociate to continue.
You can suspend Security service scanning without uninstalling the Security Bot. When you suspend the Security service, the bot is not uninstalled, and you can revoke the suspension at any time by unsuspending.
To suspend the Security service, perform the following steps:
1. Log in to the PCC.
2. Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab. The GitHub organizations are listed; select the settings icon and click Configure Security Bot.
3. The LFx Security GitHub App opens in a new tab. Click Suspend from the Danger Zone.
4. A pop-up message informs you that the Security Bot will be suspended. Click OK to continue.
5. The GitHub repositories are suspended on the Security dashboard.
An orange dot next to the GitHub organization name indicates that the Security Bot is suspended.
To revoke the suspension, click the settings icon, click Configure Security Bot, and then click Unsuspend from the Danger Zone.
LFX Security has the following requirements:
The project repositories are hosted on a publicly accessible Git server
The project uses a supported programming language
LFX Security provides dependency and license support for the following programming languages:
Golang
Java
JavaScript
Node.js (npm)
PHP
Python
Ruby
Scala
.NET
LFX Security hosts open source projects and shows their security vulnerability information in the Vulnerability Report.
If your project is not hosted on LFX Security, you can submit a project application.
To submit a project:
Log in to LFX Security.
Click Secure My Project; you are redirected to the PCC. You must onboard the project from the PCC. Refer to the Onboarding your Project section for more information.
The authorization page allows you to authorize your account to view issues related to your projects.
You have to authorize your account only once when you log into Security to view issues for the first time. For the subsequent login, you need not have to validate your account.
You can validate your account by logging through:
GitHub
Gerrit
Member Organization
If you are a contributor or mentor of the project in GitHub, perform the following steps to validate your account to view issues related to your project:
On a project card of interest, click View Dashboard.
The Authorization page appears. Click Connect to GitHub.
3. The Authorization window between GitHub and Linux Foundation appears. Click Authorize linuxfoundation.
Provide the username and password of your GitHub account. Your GitHub account is now connected.
If you are a contributor or maintainer of the GitHub account, a green tick mark appears, and Continue as Contributor/Mentor button is enabled. Click the Continue as Contributor/Mentor to view issues related to the project.
If you're not a contributor or mentor, a red tick mark appears along with a message informing you that you are not a contributor or maintainer for the project.
Click Change to change the GitHub account.
You can log in as a member of the project to view issues. You set up your organization details in your dashboard using My Profile. Based on the organization that you have set up in My Profile, the screens vary when you try to access the issues as a member login.
In order to view issues, your organization should be a member of the Linux Foundation. If your organization does not have a membership associated with the Linux Foundation, you will see a message that informs you that your organization does not have a project membership.
If you have not added your organization details in My Profile, perform the following steps to authorize your account as a member:
On a project card of interest, click View Dashboard.
The Authorization page appears. Select the required organization from the Organization Name drop-down list and provide the associated email belonging to the organization in the Your Organization Email field.
3.The Send Code button is enabled, click Send Code to get the authorization code. You will receive the authorization code in the registered email ID. Enter the code and click Continue with Member Access to view project issues.
If you have added your organization name in My Profile along with the email ID, perform the following steps to authorize your account as a member:
On a project card of interest, click View Dashboard.
The Authorization page and the organization name are available in My Profile. The email ID is auto-populated in the Your Organization Email field. Click Continue with Member Access to view project issues.
You cannot edit the email ID. You can change the organization if needed by clicking Change.
To authorize your account using Gerrit, perform the following:
1. On a project card of interest, click View Dashboard.
2. The Authorization page appears. Click Connect to Gerrit.
A valid Gerrit account must be set up in the Individual Dashboard.
3. If a valid Gerrit account is found, the Dashboard page appears.
The Overview dashboard gives you an overall view of the security issues and history of all the repositories in your project.
CVSS scores let you prioritize remediation by quantifying the severity of the vulnerabilities discovered in your project repositories. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities. Vulnerabilities are classified into HIGH/MEDIUM/LOW severity for easy prioritization.
The Security Overview page provides information on the following:
Common Vulnerability Scoring System (CVSS) score
Secrets and Compliance Risk Score
CII Best Practice Score
Project Criticality Score
A donut chart on Code Secrets detected
List of recent alerts
Non Inclusive Language
Donut and bar charts on vulnerabilities detected
Version Tree
A pie chart on language details
To access the Security Overview page, perform the following:
1. Log in to LFX Security.
2. The Landing page appears. Go to your required project and click View Dashboard.
3. By default, the Overview page appears.
LFX Security uses the Common Vulnerability Scoring System (CVSS) as a standard measurement for the severity of vulnerabilities. This score is the average of CVSS scores for all repos in the project.
LFX Security, in collaboration with BluBracket, provides a Secrets and Compliance Risk Score for each project. This score is the average of the normalized Risk Scores for all repos in the project.
The score shows the percentage of best practices followed by your project and the status of the badge. Click the score to see the details related to the CII Best Practices.
A project's criticality score reflects the influence and importance of a project; it tells you how critical your project is. Along with the criticality score, it also provides other information such as:
Number of contributors in the project
Age of the project
Information on the recent releases
Number of months since the project was last updated
Number of dependents of your project
The Code Secrets Detected donut chart shows the number and types of code secrets detected in the project. Clicking a detected code secret opens the Code Secret details page.
Recent Alerts provides a list of code secret alerts. The list shows the type of code secrets detected across the repositories and the number of code secrets detected in each repository.
The Non Inclusive Language cloud chart displays the non inclusive words that are used in the project.
Dependency Issues Over Time shows a timeline of when security issues occurred and how many issues occurred at a given time. Lines and icons in the timeline are colored to represent threat levels. Vulnerabilities Detected shows the number of vulnerabilities by severity level.
You can also filter the issues based on Total Issues, Fixed Issues, Fixable Issues and Open Issues.
Use this information to prioritize your investigation and remediation. To prioritize vulnerabilities, you might target one high-threat issue first. Additionally, it is important to focus on threats detected multiple times in the scanned code. Resolving one of these issues can make a marked difference in the security of the overall codebase.
The version tree is a graphical representation of the version details for a particular repository. Whenever changes are pushed to the repository, a new version of the repository is recorded. The version tree provides details such as the version number and the updated date and time.
By default, the version tree shows version information from the beginning of the GitHub organization.
Language details is a graphical representation of the code languages, such as Go, TypeScript, SCSS, HTML, PLpgSQL and shell, found in the repository. It is a pie chart showing the percentage of code written in each language for the GitHub repository, so you can see which languages are used and how much of the repository each one accounts for.
You can also connect the GitHub account using My Profile, see for more details.
For more information on adding organization details to My Profile, see .
The Linux Foundation Core Infrastructure Initiative (CII) Best Practices badge is a way for Free or Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. For more information on CII Best Practices, refer .
LFX Security detects vulnerabilities in the LFX projects. Projects that are part of the LFX receive free daily scans through the LFX Security service in order to detect vulnerabilities in code repositories as well as library dependencies. LFX projects include a Vulnerability Report, which gives an overview of vulnerability severities.
Only project maintainers can access Vulnerability Detection details to gain visibility into open security issues and paths to remediation.
As a project maintainer, you can access vulnerability scan details for projects based on the LFX service you opted for when enrolling your project.
To see vulnerability scan details for projects enrolled in LFX Security:
1. Log in to LFX Security.
2. On the Landing Page, you can see the Security Leaderboard and Project Cards.
3. On a project card of interest, click View Dashboard.
4. The Authorization Page appears. You need to authorize as a Member or as a Contributor/Maintainer to view issues. For more information, refer to Authorization Page.
If you are not authorized to see the vulnerability report for a project or cannot view the dashboard, a toast message appears informing you that you are not authorized to view issues.
A Foundation project group is a group of individual projects. Normally a Foundation group hosts several projects under a single Foundation project.
A Foundation project with a group of individual projects is displayed as shown in the following image:
You can view the individual projects that are stacked in the Foundation project and check the issues related to the individual projects.
To view the individual projects, perform the following steps:
1. Click Go to Projects from the Foundation project.
2. The Security Summary is displayed along with the list of individual project cards. The following Project Summary details are listed:
Repositories Successfully Scanned
Projects Successfully Scanned
Projects Partially Scanned
Issues Open
Fixable Issues
Issues Fixed
Languages
Upstream Dependencies
Types of Licenses Found
3. You can also check the issues related to an individual project by clicking View Dashboard.
Security Leaderboard is a type of dashboard that provides prominent statistics related to LFX Security. The Security Leaderboard provides the following information related to the LFX Security:
Scanned repositories, vulnerabilities detected and fixed, and recommended fixes
Top 10 Most Impactful Fixable Vulnerabilities
Top 10 Projects Most Active in Fixing Vulnerabilities
Top 10 Projects by Repositories Scanned
The Security Leaderboard dashboard provides overview information on the repositories, vulnerabilities and fixes. The following statistical information is available for repositories, vulnerabilities and fixes:
Number of scanned repositories
Number of vulnerabilities detected in the repositories
Number of recommended fixes provided for the detected vulnerabilities
Number of fixed vulnerabilities
The Top 10 Most Impactful Fixable Vulnerabilities list shows the top 10 fixable vulnerabilities along with the impacted repositories and the CVE and CWE identifiers. The list auto-scrolls when you hover the mouse over it.
The Top 10 Projects Most Active in Fixing Vulnerabilities list shows the top 10 projects that have actively fixed detected vulnerabilities. It provides the project name and the number of vulnerabilities fixed. The list auto-scrolls when you hover the mouse over it.
The Top 10 Projects by Repositories Scanned list shows the top 10 projects with the highest number of scanned repositories. It provides the project name and the number of repositories scanned for the project. The list auto-scrolls when you hover the mouse over it.
Vulnerabilities in project code can cause a range of problems for your project and the developers who use it. LFX Security shows vulnerabilities in your repositories and helps you to remediate risks with automated updates and patches.
For each repository, LFX Security maps the dependencies and correlates them with the vulnerability database. You can investigate and remediate certain types of vulnerabilities in your Git repository. For example, an injection vulnerability means your project does not guard against code being injected in your system to extract, damage, or destroy data. Investigate the issue details to find out how to remediate the vulnerability if possible.
If possible, address a vulnerability by upgrading to a vulnerability-free version of the package you are using. If you cannot upgrade, because no sufficient direct upgrade is available or because the upgrade includes breaking changes, another option is to apply a patch. A patch changes the locally installed package file to fix the vulnerability. If an upgrade or patch is unavailable, assess the issue and weigh risk against effort. If the risk is high, consider removing the dependency.
The Issues tab provides a list of all the issues related to the project. The list shows information such as the repository name, open issues, and the issue severity (critical, high, medium and low). You can also see the complete details of an issue.
To view issues, perform the following:
1. Select Issues from the top menu. The dashboard shows all vulnerabilities with their details and the total number of open and fixed issues. By default, only Open issues appear; use the filter to show Fixed issues.
2. You can search for a particular repository using the Repositories drop-down list. Select the required repositories to check their issues and details.
3. View the total number of open and fixed issues for a repository by clicking View Details.
4. The Open issues for the repository appear. You can also refine the issues by priority: Critical, High, Medium and Low.
Details about the issue and, when possible, a remediation and references to the corresponding PR, issue, CWE, CVE, or GHSA record, and so on.
Read the details and decide how you want to fix the vulnerability, for example, by applying a Snyk patch.
You need the necessary permission to dismiss an issue. Without it, the eye icon used to dismiss the issue is not available.
7. Investigate the vulnerabilities by opening the provided links, which take you directly to the websites with specific information about the vulnerability. For example:
Click a GitHub PR link, a GitHub Commit link, or a GitHub Issue link to learn more about the corresponding pull request, commit, or issue, respectively.
You have an option to download the CSV file that contains issues related to your repository. The downloaded CSV file contains information such as:
Repository ID
Snyk ID
Status
Remediation
Severity
Disclosure and Publication time
Along with the above listed information, it also contains other generic information.
You can download the issues related to all repositories or for the selected repositories and for the required date range.
To download the issues CSV file, perform the following:
1. Select Issues from the top menu.
LFX Security looks for vulnerabilities in your open-source dependencies and identifies the vulnerabilities. The Dependency Tree dashboard provides detailed information about any dependencies in a repository and maps the full application dependency tree. You can view details about a specific dependency and see which repositories are using it. The way the repository uses a dependency affects the problem severity level.
Vulnerabilities can be caused by either direct or deep dependencies.
A direct dependency is a package that you have included in your own repository.
A deep (indirect) dependency is a package that you are not using directly, but one that is used by one of your direct dependencies. For example, if your application is using package A, and package A is using package B, then your application is indirectly depending on package B. And if package B is vulnerable, your project is vulnerable.
As an open-source developer, you should understand the direct and indirect dependencies your repositories and projects use, including any security flaws that might exist in the dependency tree. LFX Security determines all the paths through the dependency tree in which a vulnerable dependency can be reached, and identifies the vulnerability.
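The path enumeration described above, as an added example that is not LFX Security's own code: a constructed dependency graph is walked depth-first to list every path by which a vulnerable package can be reached from the repository manifest, each path is labelled direct (the package sits in the manifest itself) or deep, and the direct dependencies that pull the vulnerable package in are collected, since those are the packages an upgrade has to target. The graph, package names and function names are all assumptions made for this example.

```python
"""Added example (not LFX Security's code): enumerate the dependency-tree paths
through which a vulnerable package is reachable, classify them as direct or
deep (indirect), and list the direct dependencies that need an upgrade."""
from typing import Dict, List, Tuple

# Constructed sample graph: package -> packages it depends on.
# "my-repo" stands for the repository's own manifest. Note the cycle D -> A.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "my-repo": ["A", "C"],
    "A": ["B"],
    "C": ["B", "D"],
    "D": ["A"],
    "B": [],
}


def vulnerable_paths(graph: Dict[str, List[str]], root: str,
                     vulnerable: str) -> List[List[str]]:
    """Return every simple path from root to the vulnerable package (DFS,
    skipping nodes already on the current path so cycles terminate)."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == vulnerable:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep in path:          # cycle guard
                continue
            walk(dep, path + [dep])

    walk(root, [root])
    return paths


def classify(paths: List[List[str]]) -> List[Tuple[str, List[str]]]:
    """A path of length 2 (root -> package) is a direct dependency;
    anything longer reaches the package through another dependency."""
    return [("direct" if len(p) == 2 else "deep", p) for p in paths]


def fix_targets(graph: Dict[str, List[str]], root: str,
                vulnerable: str) -> List[str]:
    """Direct dependencies through which the vulnerable package is pulled in.
    Upgrading or replacing these is what actually removes the exposure."""
    return sorted({p[1] for p in vulnerable_paths(graph, root, vulnerable)})


def assess(graph: Dict[str, List[str]], root: str, vulnerable: str) -> dict:
    """Summary as a practitioner would want it: is it reachable, via what,
    and is any path a direct dependency."""
    paths = vulnerable_paths(graph, root, vulnerable)
    return {
        "reachable": bool(paths),
        "direct": any(kind == "direct" for kind, _ in classify(paths)),
        "paths": [" -> ".join(p) for p in paths],
        "fix_targets": fix_targets(graph, root, vulnerable),
    }


if __name__ == "__main__":
    for pkg in ("B", "A"):
        print(pkg, assess(SAMPLE_GRAPH, "my-repo", pkg))
```

With the constructed graph, package B is reachable by three paths and none of them is direct, so the exposure can only be removed by upgrading A and C (or their own dependencies); package A is both a direct dependency and reachable again through C and D, which is why a single path shown in a tree view is not the whole picture.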
To view all dependencies, perform the following:
1. Select Dependency Tree from the top menu and click All Dependencies.
A snapshot of the repository's dependencies appears in tree format. Repositories are listed in descending order, from the greatest number of dependencies to the least. Each item (a branch or a node) can have a number of sub-items. By default, the first three levels appear. Expand nodes of interest to drill down in the tree.
2. You can select a repository from the Repository drop-down list or a manifest file from the Manifest drop-down list. Only dependencies for the selected repository or manifest file of the selected project appear.
3. Navigate the tree to identify vulnerable dependencies in the repository. The issues are categorized by manifest file. The manifest file lists the node-level and child-level dependencies.
Each repository shows the number of issues in the repository along with the criticality of each issue. Each criticality level has a different color.
A View button is available at the deeper levels to check the issue details. The color of the button also indicates the criticality of the issue.
4. Click a license of interest to go to SPDX and find out more about the license. The SPDX License includes a full name, standardized short identifier, vetted license text, and other information about the license.
You can also check the vulnerability details only for a particular repository.
To check the vulnerability details only, perform the following steps:
1. Click Dependency Tree and select Vulnerabilities Only.
2. The vulnerabilities for the selected repository or manifest file are listed. The remaining issue details are the same as explained under the All Dependencies section.
The warning icon explains why the security scan failed for a repository.
5. Click the icon to see more details and to investigate the vulnerabilities. You can check the following details related to vulnerabilities:
You can use the icon to dismiss the vulnerability, for example if you think the issue cannot be fixed, is minor, or is not worth fixing.
6. You can also click a CWE-# link, CVE-# link, or GHSA link to read a description, references, and other details about the vulnerability. The CWE, CVE, or GHSA record shows the identifier and the details for the vulnerability.
2. From the Issues banner, click the download icon. The exports.csv file is downloaded; it contains all the information related to the repository issues.
Click the download icon to download the dependency CSV file.
An icon is also shown when there are further issues in the child-level dependencies.
Click the download icon to download the vulnerabilities CSV file.
LFX Security has collaborated with BluBracket to scan open source code for valuable private information and non-inclusive words; we call this information "code secrets". Detecting and monitoring code secrets lets projects remove these risks from their code and makes them considerably more secure.
After a project is onboarded, the LFX Security platform scans its repositories for code secrets and raises notifications for the selected organization or repository.
LFX Security scans repositories and organizations for code secrets such as passwords, JWT tokens, AWS access keys, Terraform state files and non-enterprise webhooks.
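To make the scanning idea concrete, here is an added example, not LFX Security's or BluBracket's code, of a minimal code-secret scanner run over constructed file contents. It detects three of the secret types named above (AWS access keys, JWT tokens, password assignments) with regular expressions, flags a Terraform state file by its name, and reports each hit the way the Code Secrets page does: masked value plus a SHA-256 secret hash, so a finding can be tracked and de-duplicated without the secret itself being written to a log. The rules, file names and sample values (including the AWS key, which is the placeholder key used in AWS's own documentation) are constructed for this example.

```python
"""Added example (not LFX Security's or BluBracket's code): a small
code-secret scanner that reports masked values and secret hashes."""
import hashlib
import re
from typing import Dict, List

# Detection rules, constructed for this example: alert type -> pattern.
# Group 1, when present, is the secret value; otherwise the whole match is.
RULES = {
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "JWT Token": re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "Password": re.compile(
        r"(?i)password\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}
# Files whose mere presence in a repository is a finding.
SENSITIVE_FILENAMES = re.compile(r"(^|/)terraform\.tfstate(\.backup)?$")


def mask(secret: str) -> str:
    """Keep the first 4 and last 2 characters so the finding is recognisable
    without exposing the value (short values are masked entirely)."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def secret_hash(secret: str) -> str:
    """Stable identifier for a secret value; lets the same leaked value be
    correlated across files and commits without storing it in clear."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def scan_file(path: str, text: str) -> List[dict]:
    findings: List[dict] = []
    if SENSITIVE_FILENAMES.search(path):
        findings.append({"file": path, "line": 0,
                         "alert_type": "Terraform State File",
                         "masked": "(entire file)", "secret_hash": None})
    for lineno, line in enumerate(text.splitlines(), start=1):
        for alert_type, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"file": path, "line": lineno,
                                 "alert_type": alert_type,
                                 "masked": mask(value),
                                 "secret_hash": secret_hash(value)})
    return findings


def scan_repo(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> file contents (a checked-out tree in practice)."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


# Constructed sample repository; the AWS key is AWS's documented example key.
SAMPLE_FILES = {
    "config/settings.py": "DB_PASSWORD = 'hunter2hunter2'\nDEBUG = True\n",
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "app/auth.js": "const token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ."
                   "c2lnbmF0dXJlLXZhbHVl';\n",
    "infra/terraform.tfstate": "{\"version\": 4}\n",
    "README.md": "Set the password via an environment variable.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['alert_type']} {f['masked']}")
```

The README line is deliberately not a hit: the password rule requires an assignment with a quoted value, which is the kind of precision that keeps a scanner's alert list reviewable. A real scanner would also walk git history, since a secret removed in a later commit is still exposed in earlier ones, which is why the page's details view links to the commit that introduced it.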
To access code secrets for a project or repository, perform the following steps:
1. Log in to LFX Security, select the required project and click View Dashboard.
2. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS EXPOSED tab.
3. The list provides the following details related to the code secrets:
Detected On - Date and time when the code secret was detected
Alert Type - Type of code secret that was detected
Repository - Name of the repository containing the code in which the code secret was detected
Developer - Name of the developer who checked the code into the repository
Status - Whether the code secret has been resolved or reviewed
Take Action - Allows you to take action on the code secret.
You need the necessary permission to take action on code secrets. Without it, the Take Action tab is not available.
The Code Secrets Revealed tab provides you the list of code secrets associated with the project or repository. You can check the details of the listed code secret with the help of Take Action tab.
To check the details of a listed code secret, perform the following steps:
1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.
3. The code secret details box appears with all the details related to the code secret. The following details are available:
File Details
Name - A hyperlink that navigates you to the exact line of code that is a potential threat or vulnerability.
Private Key - The code secret identified in the file. The value is masked so that the exposed secret is not shown. To see the code secret, click the file name or the commit ID.
Secret Hash - The hash ID value for the code secret.
Repository Details
Organization - Name of the GitHub organization.
Provider - Name of the provider where the code is hosted.
Description - A short info on the organization.
Commit Details
Commit ID - A hyperlink that navigates you to the commit in which the code was checked in.
Time - Date and time when the code was checked in.
Committed By - Name of the developer who checked in the code.
Message - The git commit message from when the code secret was introduced into the repository. It may hint at why the code secret was added, or which bug fix or feature enhancement the change belongs to.
Project maintainers can perform various actions on code secrets to mitigate the vulnerabilities in the code and the project. The icon shows all the details of a code secret and, based on those details, you can perform certain actions on it.
To perform actions on the code secrets, perform the following steps:
1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.
3. The code secret details box appears with all the details related to the code secret. Click Actions and select the action to be performed for the listed code secret.
4. Under Actions, the following actions are available:
Resolve - Use this option to resolve the code secret
Ignore - Use this option to ignore the code secret
False Positive - Use this option if you think the reported item is not a code secret
LFX Security allows you to categorize code secrets using various parameters. The following are some of the categories available to filter or categorize code secrets:
Alert Type
Repository
Developer
To add a filter, perform the following:
1. Click Add Filters +, select the required filters and click Apply Filters.
Code secrets also provides generic notifications related to the repositories. These notifications are informational and not fatal if ignored; they give project maintainers information about their projects and repositories.
Some of the notifications provided by code secrets are:
Web hook URL non enterprise
Repo forked
Users edited in the repo
LFX Security scans the repositories and organizations and provides various notifications related to them.
To access code secrets notifications for a project or repository, perform the following steps:
1. Log in to LFX Security, select the required project and click View Dashboard.
2. Select Code Secrets from the top menu. The code secrets notifications are listed under the NOTIFICATIONS tab.
3. The list provides the following details related to the code secrets notifications:
Detected On - Date and time when the notification was raised
Event Type - Type of event that was detected
Repository - Name of the repository for which the notification was raised
Developer - Name of the developer who checked the code into the repository
To check the details of a listed notification, perform the following steps:
1. Select Code Secrets from the top menu. The code secret notifications are listed under the NOTIFICATIONS tab.
3. The notification details box appears with all the details related to the notification. The following details are available:
Repository - Name of the repository
Repo URL - URL of the repository
Source Repo URL - Source URL of the repository
You can filter the notifications based on the event types.
To add a filter, perform the following:
1. Click Add Filters +, select the required filters and click Apply Filters.
LFX Security, in collaboration with BluBracket, scans for non inclusive language. Non inclusive language depicts people unfairly in an insulting manner and excludes people based on their ethnicity, gender or color. Such words are not expected in open source code.
LFX Security scans for non inclusive language that developers might have added unintentionally. Some common non inclusive words used in code are blacklist, whitelist, slave and master.
To view non inclusive language, perform the following steps:
2. Select NON-INCLUSIVE LANGUAGE from the top menu.
3. The list provides the following details related to the non inclusive language:
Detected On - Date and time when the code was scanned
Description - The non inclusive language used in the code
Repository - Name of the GitHub repository containing the code in which the non inclusive language was detected
Developer - Name of the developer who checked the code into the repository
Notify - Button used to notify the developer
When you click on the Description of the non inclusive language, you will be taken to the line of the code where non inclusive language has been used.
You have an option to notify the developer who has added non inclusive language in their code. This notification feature will allow the developer to remove or replace the non inclusive language.
You need the necessary permission to notify a developer about non inclusive language. Without it, the Notify button is not available.
To notify a developer about the usage of non inclusive language, perform the following steps:
1. Select NON-INCLUSIVE LANGUAGE from the top menu.
2. Under the Notify tab, click Send Reminder. A confirmation dialog box appears informing you that a notification will be sent to the developer. A notification email is delivered to the developer who added the non inclusive language.
Notified appears along with a green tick mark once a notification has been sent to the developer.
You cannot send a reminder to a developer whose email address is marked as private.
3. A confirmation dialog box appears informing you that a notification will be sent to the developer. Click Send Notification to confirm.
4. You can also send a reminder if the developer has not replaced the non inclusive language after the first notification. Click Remind Developer to send the reminder.
LFX Security allows you to categorize the non inclusive words using various parameters. Following are few of the categories available to filter or categorize non inclusive words:
Description Filters
Repository Filters
Developer Filters
Notify Filters
To add a filter, perform the following:
1. Click Add Filters +, select the required filters and click Apply Filters.
2. Click the icon listed in front of Take Action.
- Icon to minimize and maximize the code secret details.
The Notifications tab provides the list of notifications associated with the project or repository. You can check the details of a listed notification with the help of the icon.
2. Click the icon listed in front of the notification.
1. Log in to LFX Security, select the required project and click View Dashboard.
LFX Security identifies the licenses that are used by your projects and their dependencies.
To get the license information, perform the following:
1. Select Licenses from the top menu. All licenses for the dependencies in a project are listed in alphabetical order by their license identifier, for example, Apache-2.0. The list also shows the number of dependencies for each license. Dependencies with more than one license are shown individually.
2. Click a license identifier icon to go to the SPDX License and find out more about the license.
3. The SPDX License includes a full name, standardized short identifier, vetted license text, and other information about the license.